[Freeipa-users] ipa-client-install errors
Gady Notrica
gnotrica at candeal.com
Wed Apr 20 20:10:10 UTC 2016
[root at cd-s-prd-db1 krb5.include.d]# ls -l
-rw-r--r--. 1 root root 224 Apr 9 07:24 domain_realm_ipa_candeal_ca
-rw-r--r--. 1 root root 118 Apr 9 07:24 localauth_plugin
[root at cd-s-prd-db1 krb5.include.d]# cat domain_realm_ipa_candeal_ca
# Generated by NetworkManager
search ipa.candeal.ca
nameserver 172.20.10.40
nameserver 172.20.10.41
[root at cd-s-prd-db1 krb5.include.d]# cat localauth_plugin
[domain_realm]
.AD.candeal.ca = AD.CANDEAL.CA
AD.candeal.ca = AD.CANDEAL.CA
[capaths]
[root at cd-s-prd-db1 krb5.include.d]# uname -a
Linux cd-s-prd-db1.ipa.candeal.ca 3.10.0-327.13.1.el7.x86_64 #1 SMP Thu Mar 31 16:04:38 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
It's CentOS 7.
Gady
-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: April 20, 2016 4:04 PM
To: Gady Notrica; Martin Basti; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors
Ok, Gady sent the complete file out-of-band and the temporary krb5.conf the client installer creates looks ok. It does include files from /var/lib/sss/pubconf/krb5.include.d/. Can you see if there are any files in there and if so, what the contents are?
BTW, what distro and release of ipa-client is this?
thanks
rob
Rob Crittenden wrote:
> Gady Notrica wrote:
>> Please find below the krb5.conf. It still has the original content.
>>
>> [root at prddb1]# ipa-client-install
>> Discovery was successful!
>> ...
>> Continue to configure the system with these values? [no]: yes
>> ....
>> Kerberos authentication failed: kinit: Improper format of Kerberos
>> configuration file while initializing Kerberos 5 library
>> Installation failed. Rolling back changes.
>> Failed to list certificates in /etc/ipa/nssdb: Command
>> ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
>> exit status 255
>> Disabling client Kerberos and LDAP configurations
>> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
>> /etc/sssd/sssd.conf.deleted
>> ....
>> Client uninstall complete.
>>
>> [root at prddb1]# cat /etc/krb5.conf
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> dns_lookup_realm = false
>> ticket_lifetime = 24h
>> renew_lifetime = 7d
>> forwardable = true
>> rdns = false
>> # default_realm = EXAMPLE.COM
>> default_ccache_name = KEYRING:persistent:%{uid}
>>
>> [realms]
>> # EXAMPLE.COM = {
>> # kdc = kerberos.example.com
>> # admin_server = kerberos.example.com
>> # }
>>
>> [domain_realm]
>> # .example.com = EXAMPLE.COM
>> # example.com = EXAMPLE.COM
>>
>> [root at prddb1]#
>
> Ok, I agree with the others then, we need to see the full
> ipaclient-install.log. This file looks fine which means the temporary
> one that is configured must be bad in some way. The log will tell how.
>
> rob
>
>>
>> Gady
>>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcritten at redhat.com]
>> Sent: April 20, 2016 3:14 PM
>> To: Gady Notrica; Martin Basti; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] ipa-client-install errors
>>
>> Gady Notrica wrote:
>> > Thank you guys for your help.
>> >
>> > Still can't enroll the client. Any suggestion on the errors below?
>> >
>> > /Kerberos authentication failed: kinit: Improper format of Kerberos
>> > configuration file while initializing Kerberos 5 library/
>>
>> What does /etc/krb5.conf look like?
>>
>> > Installation failed. Rolling back changes.
>> >
>> > /Failed to list certificates in /etc/ipa/nssdb: Command
>> > ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
>> > exit status 255/
>>
>> This is unrelated to the enrollment problem.
>>
>> rob
>>
>> > Disabling client Kerberos and LDAP configurations
>> >
>> > Gady Notrica
>> >
>>
>> > -----Original Message-----
>> > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Gady Notrica
>> > Sent: April 20, 2016 2:12 PM
>> > To: Rob Crittenden; Martin Basti; freeipa-users at redhat.com
>> > Subject: Re: [Freeipa-users] ipa-client-install errors
>> >
>> > Any specific command in particular to remove that keytab?
>> >
>> > Since these don't work
>> >
>> > [root at cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
>> > Kerberos context initialization failed
>> >
>> > [root at prddb1 /]# ipa-rmkeytab -p ldap/prddb1.ipa.domain.com -k /etc/krb5.keytab
>> > Kerberos context initialization failed
>> >
>> > [root at cprddb1 /]#
>> >
>> > Gady
>> >
>> > -----Original Message-----
>> > From: Rob Crittenden [mailto:rcritten at redhat.com]
>> > Sent: April 20, 2016 1:59 PM
>> > To: Martin Basti; Gady Notrica; freeipa-users at redhat.com
>> > Subject: Re: [Freeipa-users] ipa-client-install errors
>> >
>> > Martin Basti wrote:
>> > >
>> > > On 20.04.2016 18:00, Gady Notrica wrote:
>> > >>
>> > >> Hello World,
>> > >>
>> > >> I am having these errors trying to install ipa-client-install. Every
>> > >> other machine is fine and the IPA servers are functioning perfectly
>> > >>
>> > >> Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
>> > >>
>> > >> Kerberos authentication failed: kinit: Improper format of Kerberos
>> > >> configuration file while initializing Kerberos 5 library
>> > >>
>> > >> Then I have "/Installation failed. Rolling back changes."/
>> > >>
>> > >> I have tried everything I know with no luck. Any idea on how to FIX
>> > >> this? Below is the full log.
>> > >>
>> > >> -----------------------------------------------------------
>> > >>
>> > >> /Continue to configure the system with these values? [no]: yes/
>> > >> /Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1/
>> > >> /Skipping synchronizing time with NTP server./
>> > >> /User authorized to enroll computers: admin/
>> > >> /Password for admin at IPA.DOMAIN.COM:/
>> > >> /Please make sure the following ports are opened in the firewall settings:/
>> > >> /TCP: 80, 88, 389/
>> > >> /UDP: 88 (at least one of TCP/UDP ports 88 has to be open)/
>> > >> /Also note that following ports are necessary for ipa-client working properly after enrollment:/
>> > >> /TCP: 464/
>> > >> /UDP: 464, 123 (if NTP enabled)/
>> > >> /Kerberos authentication failed: kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library/
>> > >> /Installation failed. Rolling back changes./
>> > >> /Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255/
>> > >> /Disabling client Kerberos and LDAP configurations/
>> > >> /Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted/
>> > >> /Restoring client configuration files/
>> > >> /nscd daemon is not installed, skip configuration/
>> > >> /nslcd daemon is not installed, skip configuration/
>> > >> /Client uninstall complete./
>> > >>
>> > >> /---------------------------------------------------------------/
>> > >>
>> > >> Gady
>> > >>
>> > > Hello,
>> > >
>> > > IMO you have an old invalid keytab on that machine. Can you manually
>> > > remove it and try to reinstall client? (Of course only if you are sure
>> > > that keytab there is not needed)
>> > >
>> > > The keytab should be located here /etc/krb5.keytab
>> >
>> > That or /etc/krb5.conf is messed up in some way.
>> >
>> > rob
>> >
>>
>
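As an added example (not part of the thread, and not FreeIPA or MIT krb5 code), a simplified lint for files such as the two listed under /var/lib/sss/pubconf/krb5.include.d/ at the top of this message: it flags lines that are not comments, `[section]` headers, include directives or `tag = value` relations. The function name and the reduced grammar are assumptions of this example, and the sample bodies are constructed from the file contents shown above.

```python
import re

SECTION = re.compile(r"^\[[^\]]+\]\s*$")
DIRECTIVE = re.compile(r"^(include|includedir)\s+\S")

def lint_krb5_profile(text):
    """Return [(line_no, problem)] using a simplified krb5 profile grammar."""
    problems, section, depth = [], None, 0
    lines = text.splitlines()
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line[0] in "#;":           # blank line or comment
            continue
        if depth == 0 and DIRECTIVE.match(line):  # include / includedir
            continue
        if line.startswith("["):
            if depth or not SECTION.match(line):
                problems.append((n, "bad or misplaced section header"))
            else:
                section = line
        elif line.startswith("}"):
            if depth == 0:
                problems.append((n, "unmatched closing brace"))
            else:
                depth -= 1
        else:
            tag, eq, value = line.partition("=")
            if not eq or not tag.strip():
                problems.append((n, "not a 'tag = value' relation"))
            elif section is None:
                problems.append((n, "relation before any [section] header"))
            elif value.strip() == "{":            # opens a subsection
                depth += 1
    if depth:
        problems.append((len(lines), "missing closing brace"))
    return problems

# Constructed samples: the two file bodies as shown in the thread.
SAMPLES = {
    "domain_realm_ipa_candeal_ca": "# Generated by NetworkManager\n"
        "search ipa.candeal.ca\nnameserver 172.20.10.40\nnameserver 172.20.10.41\n",
    "localauth_plugin": "[domain_realm]\n.AD.candeal.ca = AD.CANDEAL.CA\n"
        "AD.candeal.ca = AD.CANDEAL.CA\n[capaths]\n",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, lint_krb5_profile(body) or "ok")
```

On a real client the same function can be run over each file the temporary krb5.conf includes before retrying the enrollment.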